Introduction
Most identity maturity assessments produce a score nobody trusts and a roadmap nobody funds. You run the assessment, get a number between 1 and 5, present it to the board, and then spend the next quarter defending why you're a 2.7 instead of a 3. That is not a program. That is a ritual.
The real problem is not that organizations score low on identity maturity. The real problem is that most assessments measure the wrong things. They count tools deployed and policies documented. They do not measure whether your access controls actually reduce risk, whether your provisioning process creates shadow IT faster than it closes gaps, or whether your identity governance program would survive a real audit with teeth. Scoring high on a maturity model while your contractors have standing admin access is not maturity. It is theater.
This article is for security leaders who are past the basics and want to build an identity program that holds up under pressure. Not pressure from auditors. Pressure from a breach, a merger, a rapid workforce reduction, or a board that suddenly wants to know exactly who has access to what and why. That is the standard worth building toward.
Why Most Identity Maturity Models Measure Activity, Not Outcomes
The dominant maturity frameworks (CMMI-derived models, vendor-sponsored assessments, and NIST-aligned scorecards) share a common flaw. They reward documentation and tool deployment over actual risk reduction. You get credit for having a joiner-mover-leaver process. You do not get penalized when that process takes 72 hours and your terminated employees retain access for 48 of them.
A better framing: measure the gap between what your identity controls claim to do and what they actually do under operational conditions. That gap is where breaches live. The 2023 Verizon DBIR found that stolen credentials were involved in 49% of breaches. Most of those organizations had identity programs. They just had programs that looked better on paper than they performed in practice.
Before you run another maturity assessment, define what outcome you are actually trying to measure. Access risk reduction. Time-to-deprovision. Privilege creep rate. Orphaned account count. These are measurable. 'Identity maturity level 3' is not.
The Five Gaps That Separate Mature Programs from Ceremonial Ones
After building identity programs across multiple organizations and reviewing dozens of peer programs, five gaps appear consistently. First: provisioning speed versus access accuracy. Fast provisioning that grants excessive access is worse than slow provisioning that gets it right. Second: access reviews that are completed versus access reviews that actually remove access. Most quarterly reviews result in less than 10% of access being revoked. If your revocation rate is under 5%, your review is a checkbox.
Third: privileged access management coverage versus actual privileged account inventory. Most organizations discover 30-40% more privileged accounts than they thought they had when they do a real inventory. Fourth: identity governance that covers employees but ignores service accounts, contractors, and machine identities. In most environments, non-human identities now outnumber human ones. Fifth: incident response that includes identity as a first-class signal versus identity data that sits in a silo your SOC cannot query in real time.
Score yourself honestly on these five gaps before you touch a formal maturity framework. If you have more than two significant gaps, your maturity score is misleading you.
What a Real Identity Inventory Actually Looks Like
You cannot mature what you cannot see. Most identity programs start with Active Directory and stop there. That leaves out SaaS applications with their own identity stores, cloud IAM roles that were created outside any governance process, service accounts with passwords that have not rotated in three years, and API keys embedded in code repositories.
A real identity inventory covers four categories: human identities across all systems, non-human identities including service accounts and API credentials, privileged identities with elevated access, and orphaned identities with no active owner. For a mid-size organization of 2,000-5,000 employees, expect to find 3x to 5x as many total identities as you have employees once you include all four categories.
The inventory is not a one-time project. It is a continuous control. If your identity count is static between quarters, your discovery process is broken. Identities are created constantly, especially in cloud environments where developers spin up service accounts without going through any formal process.
Privilege Creep Is Not a Technology Problem. It Is a Process Problem.
Every organization accumulates privilege over time. Employees change roles. Projects end. Emergency access gets granted and never revoked. The average employee who has been with an organization for five years has access that reflects every role they have ever held, not the role they hold today. That is privilege creep, and it is the default state of every identity program that does not actively fight it.
The technology to address privilege creep exists. Role-based access control, attribute-based access control, just-in-time access provisioning. These are not new ideas. The reason privilege creep persists is that the process to remove access is harder than the process to grant it. Managers approve access requests in 30 seconds. Access removal requires a campaign, a review cycle, and someone willing to own the risk of breaking something.
Fix the process asymmetry before you buy more tooling. Make access removal the default at role change. Make access expiration the default for elevated permissions. Make the burden of proof fall on keeping access, not removing it. That is a policy decision, not a technology decision.
How to Build a Board-Ready Identity Risk Metric That Actually Means Something
Your board does not understand identity maturity levels. They understand risk exposure and business impact. Translate accordingly. Three metrics that land well at the board level: percentage of critical system access that is reviewed and certified in the last 90 days, mean time to deprovision terminated employees across all systems, and number of accounts with standing privileged access versus accounts using just-in-time access.
These metrics have a direct line to breach scenarios your board already fears. A terminated employee with active credentials is a liability story. An unreviewed admin account on your ERP system is a fraud story. Frame them that way. 'We have reduced standing privileged access by 40% this year' is a board-level statement. 'We improved our PAM maturity from level 2 to level 3' is not.
Pick two or three metrics and track them consistently for at least four quarters before adding more. Boards trust trends more than snapshots. A metric that moves in the right direction over a year tells a better story than a perfect score at a single point in time.
The Vendor Assessment Trap: When Your IAM Vendor Grades Your IAM Program
Many identity maturity assessments are sponsored by vendors who sell identity products. That is not inherently disqualifying, but it creates a predictable bias. The assessment will find gaps that the vendor's product addresses. The roadmap will recommend capabilities the vendor sells. The scoring model will weight the dimensions where the vendor is strongest.
The vendor's TCO calculator conveniently leaves out integration costs, professional services overruns, and the 18 months of internal engineering time required to actually operationalize the platform. A $2M identity governance platform that takes three years to deploy and requires two dedicated FTEs to maintain is not the same investment as the proposal suggests.
Run your own assessment first, using a framework your vendor did not write. NIST SP 800-63, the IDPro Body of Knowledge, or a peer-reviewed model from your industry ISAC. Then use vendor assessments as a second opinion, not a primary source. The gaps they find are real. The solutions they recommend deserve scrutiny.
Team Capacity Is the Constraint Nobody Puts in the Maturity Model
Identity programs fail not because organizations lack tools but because they lack the people to operate them. A mid-size security team of 15-20 people typically has one or two identity specialists. Those specialists are managing day-to-day operations: provisioning, access reviews, PAM administration. There is no capacity left for program improvement.
The rule of thirds applies here. Roughly one third of your identity team capacity should be on operations, one third on program improvement, and one third on risk advisory work: helping the business understand identity risk in new projects, M&A activity, and cloud migrations. Most teams are 90% operations and 10% everything else. That ratio produces a program that maintains the status quo but never matures.
Before you commit to a maturity improvement roadmap, map your current team capacity honestly. If you do not have the people to operate what you already have, adding more tools and controls will make things worse. Consolidate first. Automate the operational work. Then invest in maturity.
A Practical Maturity Roadmap: What to Fix in 90 Days, 12 Months, and 3 Years
In the first 90 days, focus on visibility and quick wins. Complete a full identity inventory across all four categories. Measure your current time-to-deprovision. Pull your orphaned account count. These are diagnostic steps that cost almost nothing and tell you where your actual risk is concentrated. Fix the top five orphaned account clusters. Enforce MFA on all privileged accounts if you have not already. These are not maturity improvements. They are hygiene corrections that should have been done already.
In the first 12 months, address the process gaps. Redesign your access review process so it produces real revocations, not rubber-stamp approvals. Implement just-in-time access for at least your top-tier privileged accounts. Build a service account governance process that requires an owner and an expiration date for every new service account created. Measure privilege creep rate quarterly.
Over three years, build toward continuous access intelligence. That means identity data flowing into your SIEM and SOAR in real time, access decisions informed by behavioral analytics, and a governance model that can scale to cover non-human identities at the same level of rigor as human ones. That is a realistic three-year horizon for a team of 15-20 people with adequate tooling and executive support. Not six months. Not a vendor's implementation timeline.
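The outcome metrics named above (time-to-deprovision, orphaned account count, standing versus just-in-time privileged access, and the share of critical access certified in the last 90 days) can be computed from a consolidated identity inventory rather than read off a maturity scorecard. The following is an added example, not code from the article or any product; the record fields, the cut-off date and the inventory itself are constructed assumptions that a real HR, directory, SaaS and cloud IAM export would replace.

```python
from datetime import datetime
from statistics import mean

AS_OF = datetime(2024, 6, 30, 17, 0)  # assumed reporting cut-off for the constructed data
D = datetime.fromisoformat

def acct(id_, kind, owner, *, priv=False, jit=False, critical=False,
         terminated=None, deprovisioned=None, certified=None):
    # One inventory record; the field names are assumptions for this example.
    return dict(id=id_, kind=kind, owner=owner, privileged=priv, jit=jit, critical=critical,
                terminated=terminated, deprovisioned=deprovisioned, last_certified=certified)

# Constructed inventory covering human, non-human, privileged and orphaned identities.
INVENTORY = [
    acct("alice", "human", "alice", priv=True, jit=True, critical=True, certified=D("2024-05-20")),
    acct("bob", "human", "bob", critical=True, certified=D("2024-01-15")),
    acct("carol", "human", "carol", priv=True, terminated=D("2024-06-10T09:00"),
         deprovisioned=D("2024-06-12T09:00")),
    acct("dave", "human", "dave", terminated=D("2024-06-25T17:00")),      # terminated, still active
    acct("svc-backup", "service", "carol", priv=True, critical=True),      # owner has left
    acct("svc-ci", "service", None, critical=True, certified=D("2024-06-01")),  # no owner recorded
]

def active(accts):
    return [a for a in accts if a["deprovisioned"] is None]

def mean_time_to_deprovision_hours(accts):
    """Hours from termination to removal; terminated accounts still active count up to AS_OF."""
    gaps = [((a["deprovisioned"] or AS_OF) - a["terminated"]).total_seconds() / 3600
            for a in accts if a["terminated"]]
    return mean(gaps) if gaps else 0.0

def orphaned_accounts(accts):
    """Active accounts with no owner, or whose owner's own human identity is terminated."""
    live_owners = {a["id"] for a in accts if a["kind"] == "human" and a["terminated"] is None}
    return sorted(a["id"] for a in active(accts) if a["owner"] not in live_owners)

def standing_vs_jit_privileged(accts):
    """(standing, just-in-time) counts among active privileged accounts."""
    priv = [a for a in active(accts) if a["privileged"]]
    jit = sum(1 for a in priv if a["jit"])
    return len(priv) - jit, jit

def critical_access_certified_pct(accts, window_days=90):
    """Share of active critical-system access certified within the review window."""
    crit = [a for a in active(accts) if a["critical"]]
    fresh = [a for a in crit if a["last_certified"] and (AS_OF - a["last_certified"]).days <= window_days]
    return 100.0 * len(fresh) / len(crit) if crit else 0.0
```

Run against the constructed data, the still-active terminated account pulls mean time-to-deprovision to 84 hours and three of five active accounts have no live owner, which is the kind of gap a tool-count scorecard never surfaces.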
Frequently Asked Questions
For a mid-size organization of 2,000-5,000 employees, a realistic identity program budget runs $500K to $1.5M annually, including tooling, personnel, and professional services. The mistake most leaders make is budgeting for tools and forgetting the operational cost to run them. A $400K identity governance platform requires at least one dedicated FTE to operate, which adds another $150-200K in fully loaded cost before you see any risk reduction.
Conclusion
Identity maturity is not a score. It is the gap between what your controls claim to do and what they actually do when a terminated employee tries to log in at 2 AM, when an auditor asks for a complete privileged account inventory, or when your SOC needs identity context during an active incident. Close that gap systematically, measure outcomes instead of activities, and build a program your team can actually operate at the staffing levels you have. The organizations that get identity right are not the ones with the most tools. They are the ones with the clearest picture of who has access to what, and the operational discipline to keep that picture accurate.